3

Possible Duplicates:
PHP: the ultimate clean/secure function
What's the best method for sanitizing user input with PHP?

What should I add to my function to be sure that every string that passes it will be 'server-friendly'? I use this small function to check inputs that contain names, e-mail addresses and ids.

    function checkInput($str) {
        $str = @strip_tags($str);              // drop HTML tags
        $str = @stripslashes($str);            // remove backslash escaping
        $str = mysql_real_escape_string($str); // escape for MySQL (requires an open mysql_* connection)
        return $str;
    }
Stefan
  • Agree with Pekka. But to summarize. There is no such thing as what you are trying to do. – DampeS8N Dec 15 '10 at 15:01
  • Everything is context sensitive. It's impossible to have 1 function do it all. For example, you only want to call a `mysql_real_escape_string` on data that's going into the database. And you want to call `htmlspecialchars` only on data as it's being rendered. So there's no magic bullet (And there shouldn't be)... – ircmaxell Dec 15 '10 at 15:04

4 Answers

9

I would remove some special characters that have nothing to do in such strings and could be used for code injections, like $ % # < > | and so on.

$invalid_characters = array("$", "%", "#", "<", ">", "|");
$str = str_replace($invalid_characters, "", $str);
Thibault Witzig
4

What should I add to my function to be sure that every string that passes it will be 'server-friendly'?

This should work:

function checkInput($str) {
  return "";
}

For a more detailed explanation, see here

troelskn
3

What does server friendly mean?

For validation such as email addresses take a look at data filtering.

To make sure a string is safe for database use, use escaping such as mysql_real_escape_string.

When outputting data, use htmlspecialchars.

fire
0

About databases, check PDO placeholders. They are cross-DBMS.

Mathias E.
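Putting the answers and ircmaxell's comment together, here is an added example (not code from any of the posters) that validates each of the asker's three input kinds separately and escapes only at the point of use: PDO placeholders for SQL, htmlspecialchars for HTML. It assumes PHP 7.4+ with the PDO SQLite driver and uses an in-memory database; the name rule is a constructed placeholder, not a general-purpose one.

```php
<?php
// Validation per input kind: reject bad input instead of "cleaning" it.

function validateEmail(string $in): ?string {
    // filter_var is the "data filtering" approach from fire's answer
    $email = filter_var(trim($in), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function validateId(string $in): ?int {
    // ids are positive integers; anything else is rejected outright
    return ctype_digit($in) && $in !== '0' ? (int)$in : null;
}

function validateName(string $in): ?string {
    // constructed rule: letters, spaces, dots, apostrophes, hyphens, max 100 chars
    $name = trim($in);
    return preg_match('/^[\p{L} .\'-]{1,100}$/u', $name) === 1 ? $name : null;
}

// Database context: the placeholder carries the value, so no escaping call is needed
// and the stored data is exactly what the user typed.
function insertUser(PDO $db, string $name, string $email): int {
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int)$db->lastInsertId();
}

// Output context: escape only when rendering, and only for HTML.
function renderUser(string $name, string $email): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li>{$h($name)} &lt;{$h($email)}&gt;</li>";
}

// Constructed sample run: an apostrophe in the name is harmless to the SQL
// (placeholder) and neutralised in the HTML (htmlspecialchars).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

$name  = validateName("O'Brien") ?? 'invalid';
$email = validateEmail('user@example.com') ?? 'invalid';
insertUser($db, $name, $email);

echo renderUser($name, $email), PHP_EOL;
var_dump(validateId('42'));                    // accepted
var_dump(validateId("42'; DROP TABLE users")); // rejected, not escaped
```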